Digital signatures and certificates play a central role in software security. This article describes how to view the information that indicates when digital signatures and associated certificates are invalid.

How to tell if a digital signature is trustworthy

A trustworthy signature is one that is valid for the user account, and on the computer, that reports it as valid. If the signed file is opened on another computer or under another account, the signature may appear invalid because that account may not trust the certificate issuer. Also, for a signature to be valid, its cryptographic integrity must be intact. This means that the signed content was not tampered with, and the signing certificate is not expired or revoked.

Invalid digital signatures

In Word 2010, PowerPoint 2010, and Excel 2010, invalid digital signatures are indicated by red text in the Signatures pane and a red X on the Signature Details dialog. A digital signature can become invalid for the following reasons:

The digital signature is corrupt because its content has been tampered with.

The certificate was not issued by a trusted certificate authority (CA). For example, it might be a self-signed certificate. If this is the case, you must choose to trust an untrusted issuer to make the signature valid again.

The certificate used to create the signature has been revoked, and no time stamp is available.

The following image is an example of the Signatures pane with an invalid signature.

View the Digital Signatures dialog

Open the file that contains the digital signature that you want to view.

Recoverable-error digital signatures

In Office 2010, there is a new classification category for digital signatures. Other than valid and invalid, in Office 2010 a signature can be a recoverable-error signature, which means that there is something wrong with the signature, but the error may be fixed to make the signature valid again. There are three scenarios for recoverable errors:

The verifier is offline (disconnected from the Internet), which makes it impossible to check certificate-revocation data, or to verify time stamps if they are present.

The certificate used to create the signature has expired and no time stamp is available.

The root certificate authority that issued the certificate is not trusted.

The following image is an example of the Signatures pane with a recoverable error.

Important: If you experience a recoverable error, contact your system administrator, who may be able to change the signature's state to valid.

Partial digital signatures

In Office 2010, a valid digital signature signs certain parts of a file. However, you can create a signature that signs fewer parts than required. This partial signature is cryptographically valid.

Office can read these signatures. However, they are likely not created by an Office program. If you encounter a partial signature and are unsure about how to continue, contact the IT administrator to help determine the origin of the signature.
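For an administrator triaging a partial signature, the following added example (not part of the original article and not Microsoft code) lists the package parts that a signature's manifest does not cover. It assumes an Open XML file (.docx, .xlsx, .pptx) whose signature parts sit under _xmlsignatures/ and carry an XML-DSig Manifest of part references; the function names and the sample package are constructed, and because this article does not list which parts Office requires, the output is material for review, not a verdict.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSig namespace
SIG_DIR = "_xmlsignatures/"  # assumed location of signature parts in the package


def signed_parts(sig_xml):
    """Return the part names listed in a signature part's Manifest."""
    if b"<!DOCTYPE" in sig_xml:  # refuse DTDs: the file is untrusted input
        raise ValueError("DTD not allowed in a signature part")
    parts = set()
    for manifest in ET.fromstring(sig_xml).iter(DSIG + "Manifest"):
        for ref in manifest.findall(DSIG + "Reference"):
            # Assumed URI form: /word/document.xml?ContentType=...
            parts.add(urlsplit(ref.get("URI", "")).path.lstrip("/"))
    return parts


def unsigned_parts(package):
    """Map each signature part to the content parts its Manifest omits."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = z.namelist()
        # The content-types stream and the signature parts are not candidates.
        content = {n for n in names if not n.startswith(SIG_DIR)
                   and n != "[Content_Types].xml" and not n.endswith("/")}
        for n in names:
            if n.startswith(SIG_DIR) and n.endswith(".xml"):
                report[n] = sorted(content - signed_parts(z.read(n)))
    return report


def build_sample():
    """Constructed package: two content parts, only one in the Manifest."""
    sig = (b'<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
           b'<Object Id="idPackageObject"><Manifest>'
           b'<Reference URI="/word/document.xml?ContentType=application/xml"/>'
           b'</Manifest></Object></Signature>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("word/document.xml", b"<document/>")
        z.writestr("word/settings.xml", b"<settings/>")
        z.writestr(SIG_DIR + "sig1.xml", sig)
    return buf.getvalue()


if __name__ == "__main__":
    print(unsigned_parts(build_sample()))
```

The check only compares names; it does not recompute digests or validate the certificate, so a part listed in the manifest can still fail verification in Office.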

What is a digital signature?

A digital signature is used to authenticate digital information — such as documents, e-mail messages, and macros — by using computer cryptography. Digital signatures help to establish the following assurances:

Authenticity: The digital signature helps to assure that the signer is who they claim to be.

Integrity: The digital signature helps to assure that the content has not been changed or tampered with since it was digitally signed.

Non-repudiation: The digital signature helps to prove to all parties the origin of the signed content. "Repudiation" refers to the act of a signer's denying any association with the signed content.

To make these assurances, the content must be digitally signed by the content creator, using a signature that satisfies the following criteria:

The digital signature is valid.

The certificate associated with the digital signature is current (not expired).

The signing person or organization, known as the publisher, is trusted.

The certificate associated with the digital signature is issued to the signing publisher by a reputable certificate authority (CA).